From: William Hubbs
To: gentoo-dev@lists.gentoo.org
Date: Wed, 18 Sep 2019 16:11:43 -0500
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
Message-ID: <20190918211143.GA8809@whubbs1.dev.av1.gaikai.org>
In-Reply-To: <3d5adfdf-ed54-8245-18f9-4922db627e98@gentoo.org>
References: <20190916141719.12922-1-williamh@gentoo.org> <20190916141719.12922-2-williamh@gentoo.org> <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org> <3d5adfdf-ed54-8245-18f9-4922db627e98@gentoo.org>

On Wed, Sep 18, 2019 at 12:28:29PM -0700, Zac Medico wrote:
> On 9/18/19 11:04 AM, Alec Warner wrote:
> >
> >
> > On Wed, Sep 18, 2019 at 10:50 AM Michael Orlitzky
> > wrote:
> >
> > On 9/16/19 10:17 AM, William Hubbs wrote:
> > > +
> > > +# @FUNCTION: go-module_pkg_postinst
> > > +# @DESCRIPTION:
> > > +# Display a warning about security updates for Go programs.
> > > +go-module_pkg_postinst() {
> > > +      ewarn "${PN} is written in the Go programming language."
> > > +      ewarn "Since this language is statically linked, security"
> > > +      ewarn "updates will be handled in individual packages and will be"
> > > +      ewarn "difficult for us to track as a distribution."
> > > +      ewarn "For this reason, please update any go packages asap when new"
> > > +      ewarn "versions enter the tree or go stable if you are running the"
> > > +      ewarn "stable tree."
> > > +}
> > > +
> > > +fi
> >
> >
> > This word salad is 100% misinformation that gets tangled in itself
> > trying to apologize for what we're about to do:
> >
> >   * Go is not a "statically linked language." There's gccgo, and as Alec
> >     pointed out, the official compiler has supported dynamic linking for
> >     years now.
> >
> >
> > I'm actually pretty fine with this wording, upstream has said not to
> > dynamically link in these use cases.
> >
> >
> >
> >   * Updating DOES NOT HELP AT ALL. That's the whole problem. You're
> >     trying to make it sound like we haven't thrown people under a bus,
> >     but saying "for this reason, please update..." is just misleading.
> >
> > Here's what it should say:
> >
> >   WARNING: due to a lack of manpower/interest, Go packages on Gentoo
> >   are statically linked. Contrary to our existing policies and what
> >   the website says, Go packages will never receive any security updates
> >   on Gentoo. Use at your own risk!
> >
> >
> > So if the package *maintainer* bumps each package every time it, or a
> > dep has a security issue; then updating will work fine.
> > I'm skeptical go maintainers are volunteering for this though.
>
> There's a script here which helps to automate refresh of commit hashes
> in EGO_VENDOR:
>
> https://github.com/hsoft/gentoo-ego-vendor-update
>
> Just now I've used it to refresh vendored dependencies in
> net-misc/drive:
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3993b893d4788beaad945bc82df0f4efd91ce697

I have seen that script, and it really doesn't work for modules. It
would need to parse go.mod and grab the dependencies based on the
information in that file.

William
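Review bot: the first two ewarn lines in go-module_pkg_postinst state that the Go language itself "is statically linked", which, as the thread already notes, is not accurate (gccgo exists and the official toolchain can link dynamically). The fact users need is narrower: Gentoo builds these packages as statically linked binaries with their dependencies vendored in, so a fix in a dependency reaches users only when each package that vendors it is bumped and rebuilt. Suggest rewording the warning to say that directly, e.g. ewarn "${PN} is built as a statically linked Go binary with vendored dependencies." followed by the note that security fixes in those dependencies are delivered only through bumps of this package, and keep the "please update" advice only if maintainers commit to bumping on dependency advisories, since otherwise the line is misleading in the way Michael describes.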
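The reply above says a module-aware refresh script would have to read go.mod and take its dependency list from there. The following is an added example, not code from the thread, from the hsoft script or from go-module.eclass: a small parser for the go.mod directives (module, go, require, replace, exclude, in both single-line and parenthesised-block form) that yields the dependency set a maintainer would need to audit or refresh, with replace directives applied so the list reflects what actually gets vendored. The sample go.mod embedded in it is constructed for the example and names no real package.

```python
"""Parse a go.mod file and list the dependencies it pins.

Added example for the discussion above; it is not part of the thread,
of go-module.eclass or of the EGO_VENDOR refresh script. It assumes
standard go.mod syntax and covers the directives a dependency audit
needs: module, go, require, replace and exclude.
"""
from dataclasses import dataclass, field

# Constructed sample go.mod for the example; these module paths are made up.
SAMPLE_GO_MOD = """\
module example.com/demo

go 1.13

require (
    github.com/alpha/lib v1.2.3
    github.com/beta/tool v0.4.0 // indirect
    golang.org/x/text v0.3.2
)

require github.com/gamma/extra v2.0.0+incompatible

replace github.com/alpha/lib => github.com/alpha/lib v1.2.4

exclude golang.org/x/text v0.3.1
"""


@dataclass
class Requirement:
    path: str
    version: str
    indirect: bool = False


@dataclass
class GoMod:
    module: str = ""
    go_version: str = ""
    requires: list = field(default_factory=list)
    replaces: dict = field(default_factory=dict)   # old path -> (new path, new version or "")
    excludes: list = field(default_factory=list)   # (path, version) pairs


_BLOCK_DIRECTIVES = ("require", "replace", "exclude")


def _strip_comment(line):
    """Split a line into its code part and a trailing // comment (if any)."""
    code, sep, comment = line.partition("//")
    return code.strip(), (comment.strip() if sep else "")


def _apply(mod, directive, code, comment):
    """Record one require/replace/exclude entry; `code` has no comment or parens."""
    fields = code.split()
    if directive == "require":
        if len(fields) != 2:
            raise ValueError("malformed require entry: %r" % code)
        # "// indirect" marks a dependency pulled in only by other dependencies;
        # it still ends up in the vendored build, so keep it but flag it.
        mod.requires.append(Requirement(fields[0], fields[1], comment == "indirect"))
    elif directive == "exclude":
        if len(fields) != 2:
            raise ValueError("malformed exclude entry: %r" % code)
        mod.excludes.append((fields[0], fields[1]))
    elif directive == "replace":
        # Forms: "old => new vX", "old vX => new vX", or "old => ../localdir".
        left, _, right = code.partition("=>")
        old = left.split()[0]
        new = right.split()
        mod.replaces[old] = (new[0], new[1] if len(new) > 1 else "")


def parse_go_mod(text):
    """Parse go.mod text into a GoMod record."""
    mod = GoMod()
    block = None  # directive whose "( ... )" block we are currently inside
    for raw in text.splitlines():
        code, comment = _strip_comment(raw)
        if not code:
            continue
        if block:
            if code == ")":
                block = None
            else:
                _apply(mod, block, code, comment)
            continue
        parts = code.split(None, 1)
        directive, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if directive == "module":
            mod.module = rest
        elif directive == "go":
            mod.go_version = rest
        elif directive in _BLOCK_DIRECTIVES:
            if rest == "(":
                block = directive
            else:
                _apply(mod, directive, rest, comment)
    return mod


def effective_dependencies(mod):
    """Apply replace directives: the replacement is what is actually built."""
    out = []
    for req in mod.requires:
        path, version = req.path, req.version
        if path in mod.replaces:
            new_path, new_version = mod.replaces[path]
            path, version = new_path, (new_version or version)
        out.append(Requirement(path, version, req.indirect))
    return out


if __name__ == "__main__":
    for dep in effective_dependencies(parse_go_mod(SAMPLE_GO_MOD)):
        print(dep.path, dep.version, "(indirect)" if dep.indirect else "")
```

The effective list is what matters for tracking advisories: a replace directive can move a module to a different version (or a different path entirely), so a refresh or audit that reads only the require block would report the wrong pin for that dependency.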